mixin submit(action,text)
    br
    form(action=action)
        textarea(name='data')=text
        button(type='submit') 发送

include tpl
    | 反射型xss攻击，提交带有可执行代码的数据，来自http请求，可能被浏览器检测到
    +submit('msg','<script>alert(1)</script>')
    +submit('img','-" onerror="alert(1)')
    +submit('a','javascript:alert(1)')